PyRoMineIoT

PyRoMineIoT is cryptocurrency-mining malware recently discovered by Fortinet researchers. It spreads via a malicious website disguised as a security update for the victim's internet browser. The fraudulent website hosts a downloadable update.zip file containing a downloader agent written in C#. When this file is executed, it downloads additional components, including an IoT scanner, ChromePass functionality, the ETERNALROMANCE exploit, and the XMRig Monero miner. The ETERNALROMANCE exploit is used against the SMBv1 vulnerability to spread the malware to targets that have the protocol running on ports exposed to the internet. The legitimate software "ChromePass" is used to collect credentials from the Chrome browser, which are saved to an XML file and uploaded to DriveHQ's cloud storage service. The IoT device scanner component scans for devices in Iran and Saudi Arabia that use "admin" as both username and password, and saves the IPs of the vulnerable devices to the malware's C2 server for later retrieval. Lastly, PyRoMineIoT installs XMRig, software that mines the cryptocurrency Monero using a system's CPU power, onto victim machines.
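As an added illustration from the detection side (not code from this profile or from Fortinet), the following Python correlates two steps of the chain described above over constructed proxy log lines: a download of update.zip from a site outside an assumed allowlist of update servers, followed shortly by an upload to the DriveHQ domain, matching the credential-exfiltration step. The log format, the host names, the allowlist, and the use of www.drivehq.com as the upload endpoint are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines for illustration (not indicators from the report).
# Assumed format: <ISO timestamp> <client host> <method> <url> <bytes>
SAMPLE_PROXY_LOG = """\
2019-06-10T09:00:01 ws-12 GET http://browser-update.example/update.zip 412338
2019-06-10T09:00:40 ws-12 POST https://www.drivehq.com/upload/ 20481
2019-06-10T09:05:00 ws-31 GET https://intranet.example/update.zip 9012
2019-06-10T11:30:00 ws-07 POST https://www.drivehq.com/upload/ 1500
2019-06-10T12:00:00 ws-31 POST https://www.drivehq.com/upload/ 300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")
# Assumed: internal servers that legitimately serve update.zip.
TRUSTED_UPDATE_HOSTS = {"intranet.example"}
# Assumed upload endpoint for the DriveHQ cloud storage service.
EXFIL_HOST = "www.drivehq.com"


def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, host, method, url, size = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "method": method, "url": url, "bytes": int(size)})
    return events


def url_host(url):
    """Extract the lower-cased host part of an http(s) URL."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def find_pyromineiot_chains(events, window=timedelta(minutes=30)):
    """Return (client, download_time, upload_time) for clients that fetched
    update.zip from an untrusted site and then POSTed to DriveHQ within
    `window`; downloads from allowlisted hosts are ignored."""
    suspicious_download = {}  # client host -> time of untrusted update.zip fetch
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        h = url_host(ev["url"])
        if (ev["method"] == "GET" and ev["url"].lower().endswith("/update.zip")
                and h not in TRUSTED_UPDATE_HOSTS):
            suspicious_download[ev["host"]] = ev["ts"]
        elif ev["method"] == "POST" and h == EXFIL_HOST:
            t0 = suspicious_download.get(ev["host"])
            if t0 is not None and ev["ts"] - t0 <= window:
                hits.append((ev["host"], t0.isoformat(), ev["ts"].isoformat()))
    return hits
```

Only ws-12 is flagged: ws-31 fetched update.zip from the allowlisted internal server, and ws-07 uploaded to DriveHQ without a preceding suspicious download.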

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.